Feature #10022
Have experts review our revocation mechanism of Tails signing key
100%
Description
This ticket is about sending https://tails.boum.org/doc/about/openpgp_keys/signing_key_revocation/ to a bunch of smart people and ask them to review and comment on it.
We mentioned dkg.
Subtasks
Related issues
Related to Tails - |
Resolved | 2018-05-16 |
History
#1 Updated by sajolida 2015-08-14 09:50:18
- Parent task set to #7700
#2 Updated by sajolida 2015-08-14 09:51:57
- blocked by #10023 added
#3 Updated by sajolida 2015-09-13 07:06:26
- Subject changed from Have experts review our revocation mechanism to Have experts review our revocation mechanism of Tails signing key
#4 Updated by bertagaz 2015-09-23 01:22:50
- Target version changed from Tails_1.6 to Tails_1.7
postponing
#6 Updated by sajolida 2016-08-30 03:29:46
I’d wait until we distributed their shares to different people so we do some testing and refining of our introductory text beforehand.
#7 Updated by sajolida 2016-11-09 17:15:42
Someone said it would be good to have a check-in mechanism to verify that people in the scheme are still reachable and have their share. You know, people change e-mail addresses, or stop checking some old accounts.
#8 Updated by intrigeri 2017-01-09 18:28:52
emmapeel, what’s your timeline on this one? FYI we’re almost done setting up this mechanism.
#9 Updated by cypherpunks 2017-01-12 04:03:42
Are you looking for review of the of the cryptography itself, or the threat model? Because Shamir’s Secret Sharing provides information theoretic security, of course.
#10 Updated by intrigeri 2017-01-12 07:09:58
> Are you looking for review of the of the cryptography itself, or the threat model?
I doubt the biggest problems of this mechanism lie in the crypto being used, but IMO generally auditors should take developers’ intuition with a grain of salt, and look for problems wherever they think they might find any :)
#11 Updated by sajolida 2017-08-03 18:25:11
- Description updated
#12 Updated by sajolida 2017-08-03 18:25:29
The next step could be to suggest a list of smart people and ask for more on tails-project maybe…
#13 Updated by sajolida 2017-08-03 18:28:54
- Target version set to Hole in the Roof
#14 Updated by emmapeel 2017-08-03 20:31:26
One person suggested it may be not robust enough to rely on only one mailing list…
#15 Updated by dkg 2017-08-06 16:44:57
It would be good to know what kind of review you’re looking for. just an e-mailed response that will never be published? some sort of public review, comparing it to other policies? suggestions for improvements in the form of bug reports? plaudits for media consumption?
all of these things are pretty different from each other, so just a generic “asking for review” might be improved with more details.
#16 Updated by sajolida 2017-08-15 12:21:40
> It would be good to know what kind of review you’re looking for.
> just an e-mailed response that will never be published?
That’s possible.
> some sort of public review
That’s also possible but a less formal review works as well.
Sending a mail to tails-project@ would be in-between a very formal
review and an email that will never be published and work as well (maybe
that would be our preferred option in terms of cost-benefit for the
reviewers and the transparency of the process).
> comparing it to other policies?
That would be super interesting though we didn’t think of that so far.
Maybe pointers to other similar policies would be good as a start.
> suggestions for improvements in the form of bug reports?
That would be more work for the reviewers and I don’t think that’s needed.
> plaudits for media consumption?
Not really :)
The goal here is more to fix issues in the current document while
putting as little overhead on the reviewer’s shoulders as possible.
#17 Updated by BitingBird 2017-08-28 19:50:38
emmapeel, do you still plan to do that?
#18 Updated by emmapeel 2018-02-15 10:23:39
- Status changed from Confirmed to Resolved
I consider this done, although if somebody wants to ask more experts is never bad.
I mean, this should be a continous process.
#19 Updated by cypherpunks 2018-06-05 01:07:10
While this has been resolved, I would like to point out that it would be much better if the signing key were stored on a smart card or a HSM. Simply storing it on an encrypted drive makes it much easier to exploit the revocation key-holders. Keeping it on a cheap smart card would not be too much to ask for the key-holders and would greatly improve security.
#20 Updated by intrigeri 2018-06-05 07:41:07
> While this has been resolved, I would like to point out that it would be much better if the signing key were stored on a smart card or a HSM.
See https://tails.boum.org/doc/about/openpgp_keys/#signing. The full master key is not stored anywhere and the subkeys are stored on smartcards :)
#21 Updated by intrigeri 2018-11-17 16:21:50
- Status changed from Resolved to In Progress
- Assignee deleted (
emmapeel) - % Done changed from 0 to 50
(email backlog, yeah.)
emmapeel wrote:
> I consider this done
Well, not entirely: we’ve not acted at least on one piece of feedback <5b248ab8-2262-1253-31e7-98bbcf95dafb
riseup.net>@ we’ve received. Paraphrasing: we currently have no way to ensure that folks still have access to their share and that the place where it’s stored is still considered safe. So reopening this ticket (asking folks to review is one part of it, ensuring we take their feedback into account is another one). Suggested action: set up a process to email them all every two years.
> I mean, this should be a continous process.
Sure!
#22 Updated by sajolida 2018-11-19 14:36:49
- related to
Feature #15604: Act on the reviews of our revocation certificate mechanism added
#23 Updated by sajolida 2018-11-19 16:29:07
I added 3 action items to Feature #10022 some months ago and answered our reviewer (“Re: rev”, 2018-05-16).
Sorry I didn’t add a relationship with this ticket until now.
#24 Updated by Anonymous 2019-03-08 15:41:04
- Status changed from In Progress to Resolved
- Target version deleted (
Hole in the Roof) - % Done changed from 50 to 100